Net-OpenID 2.0 Support

29th Jan 2008

I've been working slowly on making Brad's Net::OpenID libraries for Perl support the 2.0 protocol. The consumer is now 95% there, though there are some remaining niggles including the fact that it doesn't currently work with Yahoo! because it fails to trim off the fragment part of the URL before doing the final verification sanity checks.

In the process of doing this I discovered that Yahoo!'s server implementation — the only implementation I know of that supports directed identity right now — will refuse to deal with relying parties that aren't running on port 80. My test RP runs on a random high port just because my port 80 is occupied by a real web server, but I had to do some proxy trickery to actually get Yahoo! to talk to me. I find this curious, since the OP never has to connect to the RP, so there's little reason to be fussy about the realm and return_to URLs.

The support in Net::OpenID::Server isn't even started yet. This is largely just because I've not got a satisfactory development/test environment for that set up yet.

You can watch progress on Six Apart's Trac instance for Net-OpenID if you are interested. There isn't really a mailing list for this stuff, sadly. The OpenID 2 development is going on in the "openid2" branch for now.

Re: Of course, the OP has to connect to the RP

That is something I'd overlooked, but it's interesting to note that my RP isn't even Internet-accessible -- it's on my LAN and uses a private IP address -- and yet every OP I've tested against has logged in to it just fine. It seems that implementors are currently ignoring that section of the spec for some reason. This is concerning, because it's liable to cause interop problems for RPs that have never been tested against an OP that actually does this relying party discovery.